
Network/VPN Overlap How-To with SonicOS 2.0 Enhanced
Updated 9/26/03
SonicWALL, Inc.

Introduction

In this whitepaper, we will configure a VPN tunnel between two SonicWALLs running SonicOS 2.0 Enhanced whose LAN interfaces use the same IP subnet. With previous versions of SonicWALL firmware it was not possible to handle this situation, as the firmware could not perform NAT on VPN tunnel traffic. This firmware feature is intended for situations where renumbering one of the networks is not an option, yet both sides must be able to communicate with each other despite using the same network numbers. For this test, we will configure both SonicWALLs with the same /24 subnet, but will attach a hide subnet on each side, so that each side appears to the other to have a separate, unique subnet.

Notes

When dealing with overlapping IP networks, the SonicWALL performs NAT on all traffic flowing across the VPN, in both directions. Because of this, the hide subnets must be the same size as the overlapping subnet: each true address maps to exactly one hide address, with the network bits replaced and the host bits left unchanged. This makes it easy to determine the appropriate hide address for any host on either side. For example, if you have the same Class C network on each side, you will need to use Class C hide subnets so that every address on each side can be mapped. So, when the tunnel is up, if you wished to reach a server on the other side of the tunnel whose true address is , you would contact it at ; hosts on the other side of the tunnel wishing to reach resources on your side would do the same (i.e. replace the first three octets with the hide subnet, and leave the fourth octet unchanged).

Network Map

For this whitepaper, we will use the following network map to show how to deal with overlapping IP subnets (see Figure 1, next page). You will need to address the WAN interfaces of the PRO4060 devices with unique, publicly reachable static IP addresses. For this example, we will be using /24 as the overlapping IP subnet.

Figure 1 Network Testbed for NAT/VPN Overlap Test

Setup Steps

Address both PRO4060 units as shown in the network map above. Make sure that both devices have the same subnet attached ( /24). Attach and address the servers as shown ( /24). The LAN interfaces of each PRO4060 should be /24. Assign the unique WAN IP addresses per your ISP-provided settings.

PRO4060 CHICAGO

Log into the management GUI of the PRO4060 labelled CHICAGO (see network map above), using a web browser on the server located at . Go to the Network > Address Objects section and click on the Add button. Create a network object called local_hide of type Network with values , zone assignment LAN. Then, create a network object called remote_hide of type Network with values , zone assignment VPN. These are the two hide subnets that we'll be using when creating the VPN tunnel between the two PRO4060 devices. The PRO4060 at CHICAGO will think that the network behind SEATTLE is /24, and the PRO4060 at SEATTLE will think that the network behind CHICAGO is /24.

Figure 2 CHICAGO Hide Networks

Next, go to the VPN > Settings menu and click on the Add button. When the pop-up screen appears, enter the following values on the General tab (Figure 3):

IPSec Keying Mode: IKE Using Preshared Secret
Name: to_seattle
IPSec Primary Gateway Name or Address: fill in with the WAN IP address of the other PRO4060
IPSec Secondary Gateway Name or Address: leave blank
Shared Secret: enter a complex password; you will need to enter the same one on the other PRO4060
Local IKE ID (optional): leave blank; the firewall will autopopulate
Peer IKE ID (optional): leave blank; the firewall will autopopulate

Once these values have been set, click on the Network tab (Figure 4). On this tab, enter the following values:

Under Local Networks, select the radio button next to Choose local network from list and, from the drop-down box next to it, select LAN Primary Subnet
Under Destination Networks, select the radio button next to Choose destination network from list and, from the drop-down box next to it, select remote_hide

We will be using the defaults on the Proposals tab, so skip this tab. Once the Network tab values have been set, click on the Advanced tab (Figure 5) and enter the following values:

Check the box next to Apply NAT Policies
From the drop-down next to Translated Local Network, select local_hide
From the drop-down next to Translated Remote Network, select Original

Once these values have been set, click on the OK button to save and activate the changes.

PRO4060 SEATTLE

Next, go to the VPN > Settings menu and click on the Add button. When the pop-up screen appears, enter the following values on the General tab (Figure 7):

IPSec Keying Mode: IKE Using Preshared Secret
Name: to_chicago
IPSec Primary Gateway Name or Address: fill in with the WAN IP address of the other PRO4060
IPSec Secondary Gateway Name or Address: leave blank
Shared Secret: enter the same complex password you used on the other PRO4060
Local IKE ID (optional): leave blank; the firewall will autopopulate
Peer IKE ID (optional): leave blank; the firewall will autopopulate

Once these values have been set, click on the Network tab (Figure 8). On this tab, enter the following values:

Under Local Networks, select the radio button next to Choose local network from list and, from the drop-down box next to it, select LAN Primary Subnet
Under Destination Networks, select the radio button next to Choose destination network from list and, from the drop-down box next to it, select remote_hide

We will be using the defaults on the Proposals tab, so skip this tab. Once the Network tab values have been set, click on the Advanced tab (Figure 9) and enter the following values:

Check the box next to Apply NAT Policies
From the drop-down next to Translated Local Network, select local_hide
From the drop-down next to Translated Remote Network, select Original

Once these values have been set, click on the OK button to save and activate the changes.

Figure 7 SEATTLE VPN General Policy Tab
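To make the address mapping from the Notes section and the policy settings configured on both PRO4060 units concrete, here is an added Python model of the two firewalls. It is not SonicWALL code and is not part of the original whitepaper. Because the whitepaper's own addresses did not survive transcription, every subnet in it is constructed: both LANs are 192.168.1.0/24, CHICAGO's local_hide is 10.10.1.0/24 and SEATTLE's is 10.10.2.0/24, each being the other side's remote_hide. The netmap function is the "replace the network octets, keep the host octet" rule generalised to any prefix length, validate_plan performs the checks a practitioner should make before building the policies (hide subnets the same size as the LAN, no overlap between LAN and hide subnets), and round_trip follows one request and its reply through both firewalls, applying Translated Local Network = local_hide and Translated Remote Network = Original at each hop.

```python
"""Model of NAT over an IPsec tunnel between two LANs that share one subnet.

Added example, not SonicWALL's code. All addresses are constructed: both
LANs are 192.168.1.0/24, CHICAGO hides behind 10.10.1.0/24 and SEATTLE
behind 10.10.2.0/24.  Run:  python3 overlap_vpn.py
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def netmap(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """One-to-one subnet translation: swap the network bits of addr for those of
    to_net and keep the host bits. With /24s this is 'replace the first three
    octets, leave the fourth alone'; it only works when both prefixes are equal."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError(f"{to_net} is not the same size as {from_net}")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(addr) & int(from_net.hostmask)
    return IPv4Address(int(to_net.network_address) | host_bits)


def validate_plan(lan: str, local_hide: str, remote_hide: str) -> list:
    """Pre-flight checks. Returns a list of problems; empty means usable."""
    nets = {"LAN": IPv4Network(lan), "local_hide": IPv4Network(local_hide),
            "remote_hide": IPv4Network(remote_hide)}
    problems = []
    for name in ("local_hide", "remote_hide"):
        if nets[name].prefixlen != nets["LAN"].prefixlen:
            problems.append(f"{name} {nets[name]} must be a /{nets['LAN'].prefixlen} like the LAN")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):  # a hide subnet that collides with anything is useless
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


class OverlapVpnFirewall:
    """One PRO4060 whose VPN policy has Destination Network = remote_hide and,
    on the Advanced tab, Apply NAT Policies with Translated Local Network =
    local_hide and Translated Remote Network = Original."""

    def __init__(self, name: str, lan: str, local_hide: str, remote_hide: str):
        problems = validate_plan(lan, local_hide, remote_hide)
        if problems:
            raise ValueError(f"{name}: " + "; ".join(problems))
        self.name = name
        self.lan = IPv4Network(lan)
        self.local_hide = IPv4Network(local_hide)
        self.remote_hide = IPv4Network(remote_hide)

    def lan_to_vpn(self, pkt: Packet) -> Packet:
        """Outbound: a LAN host has dialled one of the peer's hide addresses.
        The source is rewritten into local_hide; the destination stays as-is."""
        if pkt.src not in self.lan or pkt.dst not in self.remote_hide:
            raise ValueError(f"{self.name}: no VPN policy matches {pkt}")
        return Packet(netmap(pkt.src, self.lan, self.local_hide), pkt.dst)

    def vpn_to_lan(self, pkt: Packet) -> Packet:
        """Inbound after decryption: the destination is one of our hide addresses
        and is mapped back to the true LAN address; the source, which lies in the
        peer's hide subnet, is left untouched so the reply routes back into the tunnel."""
        if pkt.dst not in self.local_hide or pkt.src not in self.remote_hide:
            raise ValueError(f"{self.name}: {pkt} does not belong to the tunnel")
        return Packet(pkt.src, netmap(pkt.dst, self.local_hide, self.lan))


def peers_consistent(a: OverlapVpnFirewall, b: OverlapVpnFirewall) -> bool:
    """Each side's remote_hide must be the other side's local_hide, or the
    selectors on one end never match what the other end sends."""
    return a.remote_hide == b.local_hide and b.remote_hide == a.local_hide


def round_trip(client_fw, server_fw, client_true: str, server_true: str) -> tuple:
    """Request and reply across the tunnel. Returns (address the client dials,
    client address as seen by the server, address the reply is delivered to)."""
    client, server = IPv4Address(client_true), IPv4Address(server_true)
    dial = netmap(server, server_fw.lan, server_fw.local_hide)   # server's hide address
    on_wire = client_fw.lan_to_vpn(Packet(client, dial))         # src now in client's hide net
    at_server = server_fw.vpn_to_lan(on_wire)                    # dst back to the true address
    reply = server_fw.lan_to_vpn(Packet(at_server.dst, at_server.src))
    at_client = client_fw.vpn_to_lan(reply)
    return str(dial), str(at_server.src), str(at_client.dst)


def build_testbed() -> tuple:
    chicago = OverlapVpnFirewall("CHICAGO", "192.168.1.0/24", "10.10.1.0/24", "10.10.2.0/24")
    seattle = OverlapVpnFirewall("SEATTLE", "192.168.1.0/24", "10.10.2.0/24", "10.10.1.0/24")
    return chicago, seattle


if __name__ == "__main__":
    chi, sea = build_testbed()
    print("peer policies consistent:", peers_consistent(chi, sea))
    print("CHICAGO .10 -> SEATTLE .20:", round_trip(chi, sea, "192.168.1.10", "192.168.1.20"))
    print("bad plan:", validate_plan("192.168.1.0/24", "10.10.1.0/25", "10.10.2.0/24"))
```

With the constructed addresses, a CHICAGO host at 192.168.1.10 dials 10.10.2.20 to reach the SEATTLE server at 192.168.1.20; the SEATTLE server sees the client as 10.10.1.10 and its reply lands back on 192.168.1.10. A packet addressed to the server's true address never matches the policy (lan_to_vpn raises), which is the model's way of showing why only hide addresses work across the tunnel.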

Testing

From each side, activate the tunnel by opening a connection to the other side's server. In this test scenario, the server behind the CHICAGO firewall can be reached across the tunnel at , and the server behind the SEATTLE firewall can be reached across the tunnel at . Ensure that you can reach each server via HTTP and FTP from the other side across the tunnel using these hide addresses. Always test with the hide address, never with the server's true address: a packet addressed into the overlapping subnet is delivered on the local LAN and never enters the tunnel. If you cannot reach the servers across the VPN tunnel, log into each PRO4060 device and check whether the tunnels have negotiated (if they have negotiated successfully, the firewall lists the active tunnel under Currently Active VPN Tunnels in the VPN > Settings menu).
